Advising You about Malvertising


This week we learned of a concerted cybercriminal effort to subvert the Yahoo ad network, which could have affected the 6.9 billion monthly visitors to Yahoo's sites. The threat actors behind this attack combined two techniques we have seen repeatedly in recent months: malvertisements and exploit kits.

Malvertisements are malicious ads designed and placed by cybercriminals to infect users who visit the sites on which the ads are served, effectively subverting the advertising supply chain. In this case, the criminals hosted part of their chain on Microsoft Azure sites, a platform that attracts a high number of users and so increased the volume of potential targets. We see this technique often: threat actors take advantage of high-visibility topics and compromise the sites associated with them. The actors also pushed their ads through the Yahoo ad network, one of the largest ad networks in the world, which all but assured them of a high infection rate. Note that a malvertisement does not need to be clicked: the infection is triggered when the ad itself loads, so a user is exposed with no interaction beyond opening the affected webpage.

Exploit kits are being used more frequently by threat actors because they are easy to source and inexpensive to obtain. In this particular attack, the Angler exploit kit was used to infect victims who browsed the compromised webpages. The authors of these kits add exploits for new vulnerabilities very quickly after they are disclosed; as the table below shows, many of the Adobe Flash vulnerabilities disclosed this year have already been added to Angler.

[Table: Adobe Flash vulnerabilities (CVEs) disclosed in 2015 that were added to the Angler exploit kit]

In particular, CVE-2015-0313 was seen being exploited in a very similar attack earlier this year, where attackers delivered the exploit kit through malvertisements placed on a compromised website.

Another trend among threat actors is the construction of malicious chains that maximize infection rates by combining several key tactics:

  1. Hosting the initial infection vector on compromised legitimate websites. Such sites are visited regularly by users and are unlikely to be flagged as malicious, because reputation services are wary of raising false positives on established domains.
  2. Using malvertisements that do not require the user to click on or download anything to become infected. Advertisements are everywhere, and while most users ignore them, they allow them to load. Compromising the ad network's servers affects every site that carries the ads, with no need to compromise each site one by one.
  3. Using exploit kits that serve several exploits in the hope that one of the targeted vulnerabilities has not been patched. As the Angler table above shows, 10 new Flash vulnerabilities are being used, and they are not the only ones in the kit (Internet Explorer, Java and Silverlight vulnerabilities are also included). Many users and organizations lack a patch process fast enough to keep up with how quickly cybercriminals weaponize new vulnerabilities.
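One way to look for this chain in your own traffic, as an added example that is not part of the original post and not Trend Micro code: the Python below reconstructs each request's referrer chain from constructed web-proxy log lines and flags plug-in payloads (Flash, Java, Silverlight, raw binaries) that were reached through a known ad network but served from a host that is neither the publisher nor the ad network, which is the shape of the no-click chain described above. The log format, the hostnames, the ad-network allow-list and the content-type list are all assumptions made for the illustration.

```python
"""Reconstruct proxy referrer chains and flag drive-by malvertising patterns.

Added example, not code from the original article or from Trend Micro. The log
lines, field layout, hostnames, ad-network allow-list and content-type list are
constructed assumptions for this illustration.
"""
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
#   client timestamp status content-type url referer   ("-" when absent)
SAMPLE_LOG = """\
10.0.0.5 2015-08-04T10:00:01Z 200 text/html http://news.example.com/story.html -
10.0.0.5 2015-08-04T10:00:02Z 200 text/javascript http://ads.adnet.example/serve.js http://news.example.com/story.html
10.0.0.5 2015-08-04T10:00:02Z 302 - http://ads.adnet.example/click?id=77 http://news.example.com/story.html
10.0.0.5 2015-08-04T10:00:03Z 200 text/html http://redirector.example.net/ad.html http://ads.adnet.example/click?id=77
10.0.0.5 2015-08-04T10:00:04Z 200 text/html http://xy12.randomhost.example/landing.php http://redirector.example.net/ad.html
10.0.0.5 2015-08-04T10:00:05Z 200 application/x-shockwave-flash http://xy12.randomhost.example/payload.swf http://xy12.randomhost.example/landing.php
10.0.0.6 2015-08-04T10:01:00Z 200 text/html http://news.example.com/story.html -
10.0.0.6 2015-08-04T10:01:01Z 200 text/javascript http://ads.adnet.example/serve.js http://news.example.com/story.html
10.0.0.6 2015-08-04T10:01:02Z 200 image/gif http://ads.adnet.example/banner.gif http://ads.adnet.example/serve.js
"""

# Assumed allow-list of ad servers the publisher knowingly works with.
AD_NETWORKS = {"ads.adnet.example"}

# Content types exploit kits deliver to browser plug-ins (Flash, Java,
# Silverlight) or as a dropped binary.
EXPLOIT_CONTENT = {
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/x-silverlight-app",
    "application/octet-stream",
}


def parse_log(text):
    """Turn the whitespace-separated log into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, status, ctype, url, referer = line.split()
        records.append({"client": client, "ts": ts, "status": int(status),
                        "ctype": ctype, "url": url, "referer": referer})
    return records


def hostname(url):
    return urlparse(url).hostname or ""


def referrer_chain(records, rec):
    """Walk Referer headers back from `rec` to the page the user opened.

    Returns records ordered from that first page to `rec`. The per-client
    lookup and the `seen` set keep a looping or spoofed Referer from hanging us.
    """
    by_url = {(r["client"], r["url"]): r for r in records}
    chain, seen, cur = [rec], {rec["url"]}, rec
    while cur["referer"] != "-" and cur["referer"] not in seen:
        parent = by_url.get((cur["client"], cur["referer"]))
        if parent is None:   # referer not in our logs (cached or stripped)
            break
        chain.append(parent)
        seen.add(parent["url"])
        cur = parent
    chain.reverse()
    return chain


def collapse(hosts):
    """Drop consecutive duplicate hosts so a chain reads as a list of hops."""
    out = []
    for h in hosts:
        if not out or out[-1] != h:
            out.append(h)
    return out


def flag_driveby(records, ad_networks=AD_NETWORKS):
    """Return plug-in payloads whose chain passed through an ad network and
    landed on a host that is neither the publisher nor a known ad server:
    page -> ad network -> redirector -> exploit-kit landing page -> exploit.
    """
    findings = []
    for rec in records:
        if rec["ctype"] not in EXPLOIT_CONTENT:
            continue
        hosts = collapse([hostname(r["url"]) for r in referrer_chain(records, rec)])
        passed_through_ad = any(h in ad_networks for h in hosts[:-1])
        landed_off_network = hosts[-1] not in ad_networks and hosts[-1] != hosts[0]
        if passed_through_ad and landed_off_network:
            findings.append({"client": rec["client"], "hosts": hosts,
                             "payload": rec["url"]})
    return findings


if __name__ == "__main__":
    for f in flag_driveby(parse_log(SAMPLE_LOG)):
        print(f["client"], " -> ".join(f["hosts"]), f["payload"])
```

Treat the output as a triage list, not a verdict: in 2015 legitimate rich-media creatives were also served as Flash from third-party CDNs, and Referer is often missing across redirect hops (meta refresh, referrer policies, HTTPS-to-HTTP transitions), so a chain can break before it reaches the ad network and the payload will then go unflagged. Correlating the landing host with web reputation data closes part of that gap.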

My advice to users who may be concerned about this attack, or about future attacks using these methods, is to implement a layered security approach that includes the following:

  • Enable web reputation and/or web filtering technology on your endpoints. While Trend Micro may not block the legitimate webpage that carries the ad, our endpoint solutions include technology that blocks the malvertisement itself, which can stop the infection at its first step.
  • Implement browser exploit prevention. More and more, criminals compromise webpages by adding exploits that target the browser and its plug-ins. This technology uses heuristic rules to identify exploitation of known vulnerabilities as well as unknown ones (0-days). Trend Micro endpoint security solutions include this technology.
  • Add virtual patching software. In many cases vendor patches cannot be deployed promptly because of strict change-control requirements. Virtual patching blocks exploit attempts against the unpatched vulnerability before they reach the host, so endpoints and servers stay protected from exploit kits until the patch is applied. Trend Micro's Deep Security and Vulnerability Protection solutions support virtual patching.
  • Include custom sandbox technology. A sandbox detonates suspicious files inside a safe environment and observes their behavior. We have seen many instances where our Deep Discovery solution identified a malicious download or a weaponized email attachment before it could infect our customers, even when the malware was unknown (0-day).

Today's threats are multifaceted, and no single piece of technology, such as antimalware, is sufficient to fully protect you. A multi-layered approach minimizes your risk of becoming the next victim, whether that means multiple technologies within one endpoint security solution or multiple security solutions deployed across your network.

While this is not a new threat, it is a reminder that threat actors will use what works and choose tactics specifically designed to improve their infection rates. Trend Micro will continue to improve our protection capabilities to ensure our customers face minimal risk of infection.

Please add your thoughts in the comments below or follow me on Twitter: @jonlclay.



from Trend Micro Simply Security http://ift.tt/1M5FN4i